Skip to main content
  1. Home
  2. Careers Leaders
  3. Digital products and resources
  4. Compass+ Terms and Conditions

Compass+ Terms and Conditions

PLEASE READ THESE TERMS OF SERVICE CAREFULLY. BY REGISTERING TO USE, CLICKING ‘ACCEPT’, OR USING, OUR PRODUCTS FROM 16 OCTOBER 2024, THE CUSTOMER AGREES TO BE BOUND BY THESE TERMS AND CONDITIONS (“AGREEMENT”). A person entering into this Agreement on an organisation’s behalf represents that they have the authority to do so. 

These Terms and Conditions supersede the previous version dated July 2021 and take effect from 16 October 2024. They apply to your use of the Careers and Enterprise Company “Compass+” digital product which can be accessed here. Use of Compass+ includes accessing, browsing, or registering to use the Service.  

Compass+ is a digital product to benchmark, manage, track and report on your institution’s careers provision at individual learner level. It is funded by the Department for Education (DfE) and its use is recommended by DfE Statutory Guidance, ‘Careers guidance and access for education and training providers’, (January 2023). Compass+ is provided by the Careers and Enterprise Company Limited (“we/our/us/CEC”). We are registered in England and Wales under company number 09432724 and our registered office is 120 Aldersgate St, Barbican, London, EC1A 4JQ. Any reference to “you” or “your” means the Customer school, college, independent training provider or other organisation (including a multi-academy trust, local, combined or mayoral authority) that uses the Service, Application(s) and/or submits Data to us.

1. Definitions 

Term 

Definition 

Administrator 

A user authorised by you to manage Authorised User access to the Service and act as point of contact in relation to compliance of these Terms and Conditions 

Application(s) 

Compass, Compass+ and other SaaS products and applications provided by CEC 

Authorised User 

An individual who you have authorised to use an Application who is your employee, agent, or contractor 

CEC Research 

Research, analytics and analysis carried out by us using Customer Data in accordance with clause 10 of this Agreement 

Compass+ 

The Compass+ SaaS application, as further described in the Documentation 

Customer 

The school, college, independent training provider or other organisation (including a multi-academy trust, local, combined or mayoral authority) 

Customer Data 

All data processed or stored through the Application(s) by Customer or on Customer’s behalf 

Documentation 

Descriptions of and guides to use the Service  

Learner Data 

Personal data about the Customer’s individual Learners  

Reports 

Reports and analysis produced in the Application(s) 

Service 

Your access to Compass+, Documentation, customer support, training and related services we provide to you 

2.  Changes to these terms 

2.1. We may amend these Terms and Conditions at any time without notice to you. The latest version of these Terms and Conditions is published on CEC’s website. If you continue to use the Service after the effective date of an amendment, you will be deemed to have accepted the amended version of these Terms and Conditions. It is the Customer’s responsibility to check these Terms and Conditions from time to time to verify such variations. 

3. Reports and Service 

3.1. You agree that by providing Data to us (either by providing us with access to the Data or by using the Service to upload the Data to the Applications) you are permitting us to analyse the Data and enable you to run Reports.  

3.2. We reserve the right to update, vary or amend the format of the Reports and the Service we provide. 

3.3. You shall be unable to run Reports if (a) after making reasonable requests to you, we do not receive all required information from you, or (b) where you have breached these Terms and Conditions or, (c) in our reasonable opinion, you have not acted in good faith at any time. 

4. Our Obligations 

4.1. We will provide the Service: 

4.1.1. in substantial conformance with the Documentation; 

4.1.2. in compliance with applicable laws including without limitation as required by the Data Processing Agreement at Schedule 1. 

5.  Your Obligations 

5.1. You warrant that: 

5.1.1. you comply with all applicable laws including without limitation as required by the Data Processing Agreement incorporated at Schedule 1; 

5.1.6. you will take all reasonable steps to preserve the security of Customer Data and prevent unauthorised use of the Service; 

5.1.7. you will notify us promptly of any unauthorised access to or use of the Service or if you believe you believe a password has been compromised; 

5.1.5. you will comply with our reasonable instructions regarding your use of the Service in order to preserve the security of Customer Data; and 

5.1.7. you indemnify us and hold us harmless against any claims, losses, costs or expenses incurred due to your breach of this warranty. 

5.3. You warrant that you will not: 

5.3.1. make the Service available to anyone other than Authorised Users; 

5.3.2. upload any Data or other content which is unsuitable, offensive, defamatory, or which breaches any law or rights of third parties; 

5.4 You are responsible for Authorised Users’ compliance with the Terms and Conditions  

5.5 You acknowledge that breach of these Terms and Conditions by you or an Authorised User may result in our suspension or termination of your access to the Service without notice.  

6. Intellectual Property Rights and Feedback 

6.1. We (or our licensors) shall at all times retain ownership of all intellectual property rights in and to the Service including without limitation all software used to provide the Service and all graphics, user interfaces, logos, and trademarks reproduced. Nothing in these Terms and Conditions grants you any legal rights in the Service other than as necessary to enable you to access the Service and use the Applications as specifically authorised by these Terms and Conditions. Customer recognises that the Service and its components are protected by copyright and other laws. 

6.2. We shall at all times retain ownership of all copyright and other intellectual property rights in all and any Reports and analysis generated, any deliverables relating to the Service, and any advice or training given as part of the provision of the Service and, subject to paragraph 6.3, nothing shall be deemed as a release, transfer, assignment or other disposal of these rights. 

6.3. We grant you a non-exclusive, non-transferable, revocable licence to reproduce extracts of, and otherwise use the Reports (including any hardcopy and/or electronic contents) for the purposes of: 

(i) analysing Customer Data to identify areas of strengths and weaknesses and improving standards, and 

(ii) other internal purposes that relate to your use of the Service. 

6.4.  You understand that CEC will not treat any Feedback (as defined below) as confidential, and nothing in this Agreement or in the parties’ dealings arising out of or related to this Agreement will restrict CEC’s right to use, disclose, publish, or otherwise exploit Feedback, without compensating or crediting Customer. Feedback will not be considered Customer’s trade secret. (‘Feedback’ refers to any suggestion or idea for improving or otherwise modifying CEC’s products or services that is provided by you to us.) 

7. Functionality 

7.1. We may update the Service from time to time and may change the content or functionality, including without limitation by removing such features and functions, at any time without notice.  

7.2. We do not guarantee that the Service will be free from errors or omissions or that defects in the Service will be corrected.  

7.3. We do not warrant that the Service will meet your requirements. 

8.  Availability 

8.1. We shall use reasonable endeavours to make the Service available but make no warrant of service availability.  

8.2. From time to time, it will be necessary for us to carry out maintenance in respect of the Service which may result in periods of downtime.

9. Use of the Service 

9.1. Nothing in these Terms and Conditions grants you any legal rights to the Service other than as necessary for your internal business and educational purposes only. 

9.2. You and any Authorised Users are not permitted: 

9.2.1. to use the Service on behalf of any other school, educational institution or other organisation without our prior written approval; 

9.2.2. except as expressly permitted by these Terms and Conditions and save to the extent and in the circumstances expressly permitted by law, to rent, lease, sub-license, loan, copy, modify, adapt, merge, translate, reverse engineer, decompile, disassemble or create derivative works based on the whole or any part of the Service (or any associated documentation of these) or use, reproduce or deal in the Service (or any part thereof of these) in any way; 

9.2.3. to transfer the Service (or any associated documentation) or the benefit of these Terms and Conditions to another person unless you have our prior written agreement; 

9.2.4. modify, adapt, edit, abstract, create derivative works of, sell or in any way commercially exploit any part of the Service; 

9.2.5. to frame or mirror any part of the Service without our written consent; 

9.2.6. use the Service to provide outsourced services to third parties or make it available to any third party or allow or permit a third party to do so; or 

9.2.7. combine, merge or otherwise permit the Service to become incorporated in any other program, or arrange or create derivative works based on it. 

10. Customer Data

10.1. Whenever you use the Service to upload Customer Data, you must do so in compliance with these Terms and Conditions. You may not use the Service or Applications in any way which may interfere with or prevent the proper working of the Service. 

10.2. You grant us a royalty-free, non-transferable, non-exclusive licence: 

(i) for the term of our agreement to use the Customer Data to the extent necessary to perform the Service; and 

(ii) to use anonymised or de-identified information extracted from the Data for CEC Research in accordance with clause 10.5 of this Agreement. 

(iii) to share non-personal, aggregated and institution-level data with Local, Combined or Mayoral Authority (or other organisation) hosting a CEC Career Hub covering the Customer’s location, for the purpose of supporting careers education and improving young people’s educational, training and employment outcomes. 

10.3. We shall have the right to disclose your identity to any third party who claims that Data uploaded by you, through the use of the Service constitutes a violation of their intellectual property rights, or of their right to privacy. 

10.4. We will not be responsible, or liable to any third party, for the content or accuracy of any data uploaded by you or any other user of the Service. 

10.5. The Customer agrees that CEC shall be entitled to anonymise, de-identify and/or aggregate Customer Data and use any such outputs for research and development purposes, supporting its public task of improving careers information, careers education projects and programmes, advice, and guidance (CEC Research). CEC research will be conducted to enhance knowledge and services related to education and educational research. To the extent that the CEC Research involves the processing of personal data, the parties agree that CEC shall be the controller and shall take appropriate steps to minimise the risk of identifying individual data subjects. No individuals will be identifiable from data included in CEC’s published reports.  

10.6. The Customer agrees to fulfil transparency obligations to data subjects under Article 5(1)(a) of the UK GDPR on behalf of CEC by informing Learners of CEC’s processing as a Controller as described in 10.5. 

10.7. Other than as set out in clause 10.5 above, CEC shall act as a processor on behalf of the Customer in processing Customer Data for the provision of the Services, and the parties agree that the terms of the Data Processing Agreement at Schedule 1 shall apply. 

11. Viruses

11.1. We do not guarantee that the Service is free from viruses. 

11.3. You must not misuse the Service by introducing any software viruses or other malware that may infect or cause damage to the Service.  

11.4. You must not attempt to access any server, computer or database connected to the Service. You must not attack the Service via a denial-of-service attack or a distributed denial-of service attack.  

11.5. We will not be liable for any loss or damage caused by a distributed denial-of-service attack, viruses or other technologically harmful material that may infect your computer equipment, computer programs, Data or other proprietary material due to your use of the Service or to your downloading of any material posted on it, or on any website linked to it. 

12. Linking to our website

12.1. You may link to our website, provided you do so in a way that is fair, legal and does not damage our reputation or take advantage of it. 

12.2. You must not establish a link in such a way as to suggest any form of association, approval or endorsement on our part where none exists. 

13.  Third Party Links 

13.1. We make no warranty regarding links from our site and Documentation to sites and resources provided by third parties.   

14. Term 

14.1. These Terms and Conditions are effective until: 

14.1.1. you notify us in writing that you no longer wish to use the Service, giving four weeks’ notice; or 

14.1.2. we terminate your account where you have materially failed to abide by these Terms and Conditions (where such failure is not remediable or has not been remedied within 14 days of written notice from us of such failure); or 

14.1.3. we withdraw the Service from use. 

14.2. Termination of these Terms and Conditions is without prejudice to any rights and remedies which may have accrued up to the date of termination. 

14.3. Upon termination or expiry: 

14.3.1.  Your right to access any part of the Service shall cease; 

14.3.2. The following provisions will survive termination or expiration of this Agreement: Articles and Sections: 6 (Intellectual Property Rights and Feedback), 10 (Data), 15 (Limitation of our Liability); and any other provision of this Agreement that must survive to fulfil its essential purpose. 

15.  Limitation of Our Liability 

15.1. Nothing in these Terms and Conditions excludes or limits our liability for death or personal injury arising from our negligence, or our fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited by English law. 

15.2. To the extent permitted by law, we exclude all conditions, warranties, representations or other terms which may apply to the Service, whether express or implied. 

15.3. We will not be liable for any: 

  • loss of profits, sales, business, or revenue; 
  • wasted expenditure including loss of savings (including anticipated savings); 
  • business interruption, loss of business opportunity, goodwill or reputation; 
  • loss or corruption of data; or 
  • indirect or consequential loss or damage. 

15.4. Subject to clauses 15.1 and 15.3 in no event shall our liability exceed £50,000 in respect of all claims in any 12 month period. 

16. Entire Agreement 

16.1. These Terms and Conditions (including the Schedule and the documents referred to herein) constitute the entire agreement between you and us in relation to their subject matter. You acknowledge that you have not relied on any statement, representation or promise made or given by or on behalf of us which is not set out in these Terms and Conditions or any document referred to within them. 

16.2. These Terms and Conditions apply to the exclusion of any other terms and conditions that you may seek to impose or incorporate, or which are implied by trade, custom, practice or course of dealing. 

17. Waiver of Remedies 

17.1. The failure of either party to insist upon strict performance of any provision of these Terms and Conditions or exercise any right or remedy to which it is entitled under these Terms and Conditions shall not constitute a waiver thereof and will not prejudice or restrict the rights of that party and no waiver of any such rights or of any breach of any contractual terms will be deemed to be a waiver of any other right or of any later breach. 

18. Applicable Law 

18.1. These Terms and Conditions (and any non-contractual obligations arising out of or in connection with them) shall be governed by and construed in accordance with English law and each party agrees to submit to the exclusive jurisdiction of the courts of England and Wales. 

19. Events Outside Our Control 

19.1. We will not be liable or responsible for any failure to perform, or delay in performance of, any of our obligations under these Terms and Conditions that is caused by an Event Outside Our Control. An “Event Outside Our Control” is defined below in clause 19.2. 

19.2. An “Event Outside Our Control” means any act or event beyond our reasonable control, including without limitation strikes, lock-outs or other industrial action by third parties, civil commotion, riot, invasion, terrorist attack or threat of terrorist attack, war (whether declared or not) or threat or preparation for war, fire, explosion, storm, flood, earthquake, subsidence, epidemic or other natural disaster, or failure of public or private telecommunications networks. 

19.3. If an Event Outside Our Control takes place that affects the performance of our obligations under these Terms and Conditions: 

19.3.1. we will contact you as soon as reasonably possible to notify you; and 

19.3.2. our obligations under these Terms and Conditions will be suspended and the time for performance of our obligations will be extended for the duration of the Event Outside Our Control. Where the Event Outside Our Control affects our delivery of Service to you, we will arrange a new delivery date with you after the Event Outside Our Control is over. 

20. Rights of Third Parties 

20.1. Except where specifically provided for, a person who is not a party to these Terms and Conditions has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any of the Terms and Conditions, but this does not affect any right or remedy of a third party which exists or is available otherwise than pursuant to that Act. 

21. Anti-bribery and Economic Crime 

21.1. For the purposes of this clause 21, the expressions 'adequate procedures', 'associated with', and 'reasonable procedures' shall be construed in accordance with the Bribery Laws and Economic Crime Laws. 'Bribery Laws' means the Bribery Act 2010 and associated guidance published by the Secretary of State for Justice under the Bribery Act 2010. 'Economic Crime Laws' includes the Economic Crime and Corporate Transparency Act 2023 and any associated guidance published by the Secretary of State or other relevant authorities. 

21.2. Each of us and you shall comply with applicable Bribery Laws including ensuring that each party has in place adequate procedures to prevent bribery and adequate procedures to prevent economic crime and use all reasonable endeavours to ensure that: 

21.2.1. all of that party’s personnel; 

21.2.2. all others associated with that party; and 

21.2.3. all of that party’s subcontractors; involved in the performance of these Terms and Conditions so comply. 

21.3. Without limitation to clause 21.2, neither we nor you shall make or receive any bribe (as defined in the Bribery Act 2010) or other improper payment or allow any such to be made or received on our or your behalf, either in the United Kingdom or elsewhere, and shall implement and maintain adequate procedures to ensure that such bribes or payments are not made or received directly or indirectly on our or your behalf. 

21.4. We or you shall immediately notify the other party upon becoming aware of a breach of any of the requirements in this clause 21. 

22. Freedom of Information 

22.1. We agree to provide you all necessary assistance as reasonably requested by you to enable you to respond to a request for information under the Freedom of Information Act 2000 (“FOIA”). 

22.2. You shall, before responding to any request for information pursuant to FOIA, notify us, and we shall both agree whether any information designated by us as commercially sensitive information and/or any other information is exempt from disclosure in accordance with the provisions of FOIA and act accordingly.  

23. General 

23.1. We may transfer our rights and obligations under these Terms and Conditions to another organisation, but this will not affect your rights or our obligations under these Terms and Conditions. We will always notify you in writing or by posting on our website if this happens. 

23.2. You may only transfer your rights or your obligations under these Terms and Conditions to another person if we agree in writing. 

23.3. Each of the clauses of these Terms and Conditions operates separately. If any court or relevant authority decides that any of them are unlawful or unenforceable, the remaining clauses will remain in full force and effect. 

Updated 13 December 2024

Schedule 1 - Data Processing Agreement

This Data Processing Agreement ("DPA") is incorporated as Schedule 1 into the Compass+ Terms and Conditions ("Agreement") between CEC ("Processor") and the Customer ("Controller"). This DPA governs the processing of Personal Data by the Processor on behalf of the Controller under the Agreement. Capitalised terms not defined in this DPA shall have the meanings set forth in the Agreement.

1. Definitions

1.1 "Personal Data" means any information relating to an identified or identifiable natural person, as defined under the UK GDPR. 

1.2 "Processing", "Data Controller", "Data Processor" and "Data Subject” shall have the meanings set out in the UK GDPR. 

1.3 "School MIS" refers to the Management Information System used by Customer to manage Learner records, including information about Learners’ identities, educational progress, and other relevant information. 

1.4 "Learner Careers Data" refers to data relating to Learners' careers education, experiences, and intentions as recorded within Compass+. 

1.5 “Data Protection Law” refers to the UK General Data Protection Regulation (EU 2016/679) (UK GDPR), as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, Privacy and Electronic Communications (EC Directive) Regulations 2003 and all other laws applicable to the processing of personal data, including as further amended or modified, and replacement laws.

2. Scope of Data Processing

2.1 Purpose of Processing: The Processor will process Customer Data for the Purpose of:  

  • enabling the Controller (the Customer) to record and manage careers education, experiences, and intentions of Learners 
  • to manage Authorised User access. 
  • to keep Customer Data accurate and up to date 
  • to manage access and to ensure the security of the Customer Data 

2.2 Categories of Data: The Processor may process the following categories of Personal Data: 

  • Learner Identity Data (imports from School MIS): Such as name, date of birth, gender, and unique Learner identifiers, Learner email. 
  • Learner Sensitive Data (imports from School MIS): Special category and other sensitive data including markers of disadvantage such as Free School Meal status, SEND status, EHCP status. 
  • Learner Careers Education and Experiences (input by Controller): Records of Learners' participation in careers-related events or activities, aspirations, and goals. 
  • Learner Careers Intentions (input by Controller): Such as Learners’ stated intentions regarding career paths, further education, or training. 
  • Learner Future Skills Questionnaire (FSQ) response data (input by Controller): Learners’ responses to FSQ questionnaires about careers knowledge 
  • Authorised User Identity Data (input by Controller): Such as Name, Job Title, snmAuthorised User status, contact details 
  • Authorised User Engagement Data (recorded by Processor): Such as use of the Service, Training and event booking and attendance data, records of engagement with Customer Management for product onboarding and support. 
  • Other Data added by Customer: The Processor will necessarily process other data uploaded by the Customer or synchronised from the School MIS. 

2.3 Optional Additional Purpose of Processing: The Controller may opt-in to the Processor’s processing of Customer Data for the Purpose of:  

  • Assisting education providers to identify Young People who may benefit from additional support to make their best next step 

2.4 Optional Additional Categories of Data: If the Controller opts-in to the Additional Purpose at 2.3, the Processor may process the additional categories of Personal Data: 

  • Learner Attendance Data (imports from School MIS) 
  • School-level Data: (recorded by Processor) including Gatsby Benchmark data, Index of Multiple Deprivation (IMD), Pupil Premium status 
  • School-level Careers Data: (recorded by Controller) including Gatsby Benchmark data 

2.5 Categories of Data Subjects: The Data Subjects include Learners enrolled at the Controller’s institution and Authorised Users. 

2.6 Nature of Processing: Processing includes among other things the collection, storage, synchronisation, organisation, and updating of Learner data from the School MIS into the SaaS platform, along with tracking and recording Learner career activities and intentions. 

2.7 Duration of Processing: The Processor will process Personal Data for the duration of the Agreement and any necessary period post-termination to fulfil legal obligations or enable the Controller to export data, unless otherwise instructed by the Controller. Identifiable Learner data will be processed until three years after the cohort has left the School unless the Agreement is terminated earlier. 

3. Controller (Customer) Obligations

3.1 The Customer warrants that: 

  • The Customer Data has been collected, processed and transferred in accordance with the Data Protection Laws as applicable to that data at all times prior to the receipt of that data by the Processor;  
  • Customer Data is Processed on the basis of one or more of the legal grounds set out in Article 6 and where applicable Article 9 of the GDPR or as otherwise provided for in the Data Protection Laws; 
  • It is entitled to transfer the Customer Data in accordance with the Agreement; 
  • The Customer Data is accurate and up to date; 
  • It is the primary point of contact for Data Subjects and shall identify itself as the primary point of contact within privacy notices and other relevant notices and correspondence with Data Subjects; and 
  • It shall be responsible for complying with Data Subject Access Requests in relation to the Customer Data. 

3.2 Each party shall use all reasonable endeavours to provide the other party with full and prompt co-operation and assistance in relation to any Data Subject Request or Communication made to enable the other party to comply with the relevant timescales set out in Data Protection Laws and to find an efficient, timely and amicable solution to any issues arising out of any Data Subject Request or Communication. The other party shall respond to any request for co-operation or assistance under this paragraph 3.2. within five working days. 

4. Processor (CEC) Obligations

4.1 Compliance with Laws: The Processor will process Personal Data in compliance with Data Protection Law. 

4.2 Instructions: The Processor shall process Personal Data only on the Controller’s documented instructions, as provided in this DPA and the Agreement. 

4.3 Technical and Organisational Measures (TOMs): The Processor shall implement appropriate technical and organisational measures to protect Personal Data in accordance with Article 32 of the UK GDPR. Further details are provided in Appendix 2

4.4 Data Breach Notification: The Processor shall notify the Controller without undue delay and no later than 72 hours upon becoming aware of a Personal Data Breach. In such circumstances, the Processor shall promptly provide (to the extent permitted by UK Law): 

  • sufficient information as the Controller (or its advisors) reasonably require to meet any obligations to report a Personal Data Breach under Data Protection Laws; 
  • the Information Commissioner’s Office with such information as may be requested; 
  • all reasonable assistance the Controller (or its advisors) requires. 

4.5 Records: the Processor shall maintain accurate and up to date records of its Processing of the Shared Personal Data. 

4.6 Audits: Not more than once in any 12 month period, upon reasonable prior notice, and on an agreed date which avoids unnecessary disruption to the Controller’s operations, the Processor shall allow for an audit by the Controller or its representative to demonstrate the Processor’s compliance with this Data Processing Agreement. The Controller will be responsible for all costs in relation to such an audit, including but not limited to Processor staff time and expenses. 

5. Sub-Processing

5.1 Authorised Sub-Processors: The Processor may engage Sub-Processors in the provision of the Service. A list of current Sub-Processors is provided in Appendix 1

5.2 Sub-Processor Obligations: The Processor shall carry out appropriate due diligence on Sub-Processors and ensure that any Sub-Processor provides sufficient guarantees to implement appropriate technical and organisational measures to protect Personal Data. 

5.3 Changes to Sub-Processors: The Processor shall update the list of Sub-Processors regularly. Controllers are advised to check the list for updates.  

5.4 Equivalent obligations of Sub-Processors: The Processor shall ensure that sub-processors are subject to equivalent and legally binding obligations which are no less onerous than those applicable to the Processor under this Schedule. This paragraph 5.4 is without prejudice to any disclosure or transfer required by UK Law. 

5.5 Liability of Processor for acts of Sub-Processors: The Processor shall be liable to the Customer for all acts and omissions of each of its Sub-Processors in connection with Customer Data. Each obligation in this Schedule on the Processor to do, or refrain from doing, anything shall include an obligation on that party to ensure all its Sub-Processors do, or refrain from doing, such thing. 

6. International Transfers

6.1 Data Transfer Mechanisms: The Processor shall not transfer Customer Data outside the UK, except to a territory that is subject to adequacy regulations under section 17A of the Data Protection Act 2018 or where appropriate safeguards, such as Standard Contractual Clauses or equivalent measures, are in place in compliance with Data Protection Law. 

6.2 Meaning of ‘Transfer’: For the purposes of this paragraph 7 ‘transfer’ bears the same meaning as the word ‘transfer’ in Article 44 of the UK GDPR. 

7. Data Sharing with Public Authorities

7.1 Legal Compliance: The Processor may disclose certain Personal Data to public authorities if required by law or in response to a valid legal request. Any disclosure shall be limited to what is necessary and legally required. 

7.2 Notification to Controller: Where practicable and legally permissible, the Processor shall inform the Controller of any such disclosure requirements before sharing Personal Data with public authorities. 

8. Data Retention and Deletion

8.1 Retention Period: The Processor will retain Personal Data until the end of three years following the cohort has completed education with the Customer, or for duration of the Agreement if this is shorter. 

8.2 Deletion of Data: Upon termination or expiration of the Agreement,  the Processor shall confidentially and securely delete Personal Data, unless applicable law requires the retention of the Personal Data. 

9. Liability and Indemnities

9.1 Liability Cap: The Processor’s liability for breaches of this DPA shall be governed by the liability provisions of the CEC Digital Products Agreement, except where the Processor’s liability for breaches of Data Protection Laws is excluded or uncapped. 

9.2 Indemnity for Data Breaches: The Processor agrees to indemnify the Controller for damages arising from breaches of data protection obligations caused by the Processor’s wilful or negligent actions, up to the amount specified in the CEC Digital Products Agreement. 

10. Governing Law and Jurisdiction

10.1 Law: This DPA is governed by and construed in accordance with the laws of England and Wales consistent with the governing law of the Compass+ Agreement. 

10.2 Jurisdiction: Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts specified in the Compass+ Agreement. 

Appendix 1: Sub-Processors 

Sub-processor Name 

Services Provided 

Location 

Aircury Ltd 

Software development; hosting management 

EU 

Amazon Web Services Inc (AWS) 

Hosting  

UK and EU 

AzTech UK Ltd 

IT support; Security services 

UK 

CSP Resources Ltd 

Statistical analysis 

UK 

Groupcall Ltd 

Integrates updates from School MIS 

UK 

Microsoft Limited 

Hosting; Software 

EU 

Appendix 2: Technical and Organisational Measures (TOMs) 

The Processor has implemented the following technical and organisational measures to ensure the security of Personal Data: 

  • Encryption: All Personal Data is encrypted both in transit and at rest using industry-standard encryption protocols (e.g., AES-256). 
  • Access Controls: Role-based access controls (RBAC) are in place to restrict access to Personal Data to authorised personnel only. Minimum access and separation of duty principles are followed. 
  • Network Security: Firewalls, intrusion detection systems (IDS), penetration testing and regular security assessments are conducted to protect against unauthorised access and cyber threats. 
  • Data Backup and Recovery: Regular data backups are performed, and disaster recovery plans are in place to ensure data availability and integrity. 
  • Physical Security: Data centres are secured with physical access controls, surveillance, and environmental safeguards. 
  • Incident Response: An incident response plan is established to promptly address and manage data breaches or security incidents. 
  • Employee Training: Regular training is conducted to ensure that all employees are aware of data protection policies and best practices. 
  • Regular Audits: Periodic security audits and vulnerability assessments are conducted to identify and mitigate potential security risks.
  • CEC’s Information Security Management System is certified to ISO 27001.
  • CEC holds Cyber Essentials Plus certification.